Four Visions of the Future of Identity
Asking for static information like a mother's maiden name seems increasingly passé, since shared "secrets" can be stolen or gleaned from the Internet. But without a brilliant alternative, and done with care, knowledge-based authentication still has value.
March 24
I don't normally buy $300 of pizza. But it's not as unusual as my credit card issuer might think.
Once a year I throw an event for about 500 people. I don't know who all of them are, or when or where the guests will show up. For the most part, they are responsible for themselves, but I often throw in special surprises.
Last year, I spontaneously decided to send 15 pizzas to the local bar where we gathered. I placed the order over the phone, but my credit card was declined, even though my account was in good standing. Since I was a few blocks from the shop, I went over in person. I tried three credit cards – each of them declined in turn. My friends tried their credit cards and after several tries found one that worked.
Apparently, buying 15 pizzas was outside our normal purchase activity. Twenty minutes after my attempted purchase, I received a bank alert for possible fraud.
Predictive analytics are useful, but there are valid outliers. And fraudulent activities are more likely to fit into the bell curve of typical activity. I was delighted my bank was looking out for me – but there was no user-friendly way to confirm the pizzas were an authentic outlier purchase. We're going to hit the limit of predictive analytics eventually.
My pizza tale may be a First World problem, but it's just one example of where our legacy identity system gets it wrong.
In the legal and banking worlds, the concept of identity is tied to our hand musculature (signature), our homes (address confirmation), our biometric outputs (fingerprints) and our past behavior (reputation and credit score). However, when you go online, your identity is not confined to the physical world. It expands and is customized for specific activities and needs. Sometimes we need bank-grade security, such as when making purchases; other times a pseudonym suffices.
And a pseudonym can lend its reputation to and validate a traditional identity. For instance, a company called Karma calculates reputation scores for people based on data across multiple sites (Craigslist, Facebook, LinkedIn, etc.) but allows users to choose which of those sites are displayed on their profiles. So I could take advantage of the reputational capital I've built, say, on eBay, as the seller known as "mojave999" without outing myself as the owner of that account.
We need to think about identity in new ways, such as:
- Platforms of trust. As the sharing economy matures, platforms like AirBnB are not merely an intermediary between guests and hosts; they have become platforms for verified trust.
- Group identity. The way we think about identity is antiquated. The future shouldn't limit identity to individuals only, for example.
- Smart software. Predictive analytics are useful, but as my experience shows, there are valid outliers.
- Portable, interoperable identity. Technology needs to bridge silos, not build more of them.
We are living through a time of rapid technology development. Most of the time, we focus on the technological aspects – developing new products to disrupt those of the previous epoch. However, by focusing on technology, we risk ignoring the concurrent social changes and value shifts. It would be a shame to implement new technology based on outdated social beliefs.
Facilitated Identity Verification
"I only rent my Geodesic dome to guests with verified identities."
As more peer-to-peer businesses develop, there's an increasing demand for trust. In 2013, AirBnB introduced Verified ID, a service to increase the trust in new guest accounts that didn't have recommendations. As a host myself, I won't rent to a guest who doesn't have a photo, bio and several pieces of verified data.
Today, AirBnB offers eight ways for members to verify aspects of their identity. These range from the basics, such as an email and phone number, to social media platform validations (Facebook, Google, LinkedIn) to traditional personal data (like the questions a credit card application asks) to previously verified identity – your American Express card, for example. AirBnB does the job of verifying the actual user data and then displays the verification token, so site users don't need access to one another's sensitive personal information. They only need to know the verification is valid.
The Digital Asset Grid, a research project led by Peter Vander Auwera at the Society for Worldwide Interbank Financial Telecommunication in 2012, pioneered a similar vision. (I worked on the project, producing a video demonstrating three use cases.) Why require everyone to individually verify data many times over, when a platform could do this for you? You didn't need to know the details of the data, only that it was properly verified. In one of our examples, we showed a sufficient funds verification (without disclosing any financial details) as a motorcycle purchase was negotiated.
Outsourcing identity verification can reduce corporate data risk. When verifying identity using an external data set, a local copy isn't needed. You store the verifications, but not what was verified. This reduces the risk of a data breach, since you're not holding as much valuable information that a crook would want to steal.
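A sketch of "store the verifications, but not what was verified," added here as an illustration and not taken from AirBnB or the Digital Asset Grid. It assumes one platform both issues and checks the tokens, so an HMAC under a platform-held key stands in for the asymmetric signature a cross-organization scheme would need; all names, the key and the sample figures are constructed.

```python
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): held only by the verification platform.
PLATFORM_KEY = b"constructed-demo-key"

def _mac(payload):
    # Canonical JSON so issuer and checker authenticate identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(PLATFORM_KEY, body, hashlib.sha256).hexdigest()

def issue_verification(subject, claim, raw_value, predicate, ttl=3600, now=None):
    """Evaluate the predicate on the sensitive value, then emit a token
    that carries only the yes/no result, never raw_value itself."""
    now = int(time.time()) if now is None else now
    payload = {"sub": subject, "claim": claim,
               "result": bool(predicate(raw_value)),
               "iat": now, "exp": now + ttl}
    return {"payload": payload, "mac": _mac(payload)}

def check_verification(token, subject, claim, now=None):
    """Accept only an authentic, unexpired, positive token that was issued
    for this subject and this claim."""
    now = int(time.time()) if now is None else now
    payload = token.get("payload", {})
    if not hmac.compare_digest(token.get("mac", ""), _mac(payload)):
        return False  # altered, or not issued by the platform
    if payload.get("sub") != subject or payload.get("claim") != claim:
        return False  # token replayed for another person or purpose
    if now >= payload.get("exp", 0):
        return False  # stale: the underlying fact may have changed
    return payload.get("result") is True

if __name__ == "__main__":
    # Constructed scenario: sufficient funds for a 9,000 motorcycle.
    token = issue_verification("buyer-17", "funds>=9000", 12500,
                               lambda balance: balance >= 9000)
    print(json.dumps(token))  # what the seller keeps on file: no balance
    print(check_verification(token, "buyer-17", "funds>=9000"))
```

The record the seller retains contains the claim and its result but not the balance, so a breach of the seller's store exposes only that a check was passed.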
Making identity verification available across AirBnB's platform reduces this risk for each host as well. Prior to the Verified ID program, hosts had to ask for personal ID directly from the guest. And who knows what data security practices hosts might have followed? It's safer for all parties to use a platformwide verification system.
AirBnB and the Digital Asset Grid are appropriate blueprints for future verified identity systems where it's necessary to share verified credentials while securing personal data. Verified identities increase the trust between transaction parties, leading to greater satisfaction.
Beyond Individuals: the Millennial Holy Grail
Banks are after the elusive millennial demographic. But if they are only going after individual millennials, they're chasing the wrong market.
Last year Brett King, the founder of Moven, described a hypothetical example of distributed ownership of an autonomous, self-driving car. Instead of buying a vehicle, you'd buy a share in one. That car might have its own P&L and accept and initiate payments. After Brett's post appeared, Ford announced a pilot shared-ownership car program (without the self-driving part).
There are many reasons individuals might want to share resources in a group. They might be producing an event, art project, a very-early-stage startup or living in a group arrangement. The project has costs, and they might accept sponsorship or sell tickets. There's money coming in and being spent.
In this scenario, someone is taking financial risk. This might be an individual using a personal bank account to receive funds and pay bills. In addition, that person takes on the tax risk as well. You might want different people authorized to make purchases. This situation calls for a combined identity with financial and legal protections – not as expensive an entity to set up as a corporation, easier to dissolve when the project is over, but designed to let multiple parties take responsibility.
Beyond people, you might want to authorize software to make a purchase on your behalf. Who authorizes the transaction when you push the Amazon dash button for more toilet paper in the guest bathroom? (The dash button is a Wi-Fi-connected device that, when pushed, reorders regularly purchased items. True story, a friend leaves his Amazon dash in the guest bathroom.)
Smart objects able to make purchases will arrive sooner rather than later. Some objects will have identities of their own, while others may be nested as part of a set of identities with specific functionalities that might include financial responsibility and automated transaction activities. Simple bill-pay activities might evolve into self-executing smart contracts.
We're jury-rigging these situations today, passing the risk to individuals. But how long will this last? Legal systems don't have the structures to allow these kinds of complex identities. We need to develop structures that allow risk to be shared across multiple individuals in a lightweight way without the overhead of legal incorporation.
With such structures in place, banks could develop a hybrid account that combines business and individual functionalities. Imagine a house account that is set up to automatically pay rent and bills, and might even schedule and pay for grocery deliveries. Income into this account might come from regular habitants (roommates), selling solar energy back into the grid or even by renting a room on AirBnB. Today, this is normally handled by an individual or a legal corporate structure. But that's an awful lot of overhead in terms of costs and tax liabilities.
Portable, Interoperable Identity
Identity is not just an issue for those of us fortunate enough to have spare rooms to rent on AirBnB or Amazon gizmos in our bathroom. Without an accepted way to prove you are who you say you are (a legal identity and address confirmation), banks are unable to give you an account due to know-your-customer regulations. According to the World Bank's 2014 Global Findex database (the most recent year available), there are still 2 billion unbanked adults globally. In addition, there are an estimated 60 million refugees worldwide.
India is trying to solve this problem with the Aadhaar card, the world's largest national ID project. Interestingly, the Aadhaar card offers an electronic KYC application programming interface that private-sector businesses can use to facilitate the setup of bank accounts and other services. In Estonia a mobile phone SIM card acts as the identifier through the MobileID program.
Then there are those looking to solve the global identity problem through the blockchain, the distributed-ledger technology pioneered by bitcoin. The problem is that blockchain identity is another silo – and certainly there will be several companies developing their own blockchain-based identity solutions. The thing is, we don't need more silos. We need standards, portability and interoperability.
Identity is about context. I like the AirBnB model that leverages verifications (like the Amex card) to create a comprehensive identity from many pieces of data. The more verifications, the more complete a picture that can be created. Karma, as mentioned above, is working on an aggregated reputation platform. Can you imagine something that similarly aggregates identity?
If you want to meet the future head-on, rather than respond to the inevitable disruption, consider these four recommendations.
- Smarter software: Make financial intelligence more human-friendly. Leverage technology for fraud prevention while creating a user-friendly purchase authorization, so valid outlier purchases, like my pizza order, can be confirmed in real time to complete the transaction.
- Identity as a service: Use diverse methods to verify identity. Outsource your identity verification with diverse modules. Don't rely on one component, and select modes that are already familiar to your customers, as AirBnB does.
- Agile identities: Develop a legal framework for ad-hoc group and machine identities with financial functionality, and develop products for lightweight combined group identities, such as housemates or startup founders.
- Interoperable identity: Develop an OAuth-like solution for banking and an e-KYC API like the Aadhaar card. Impress upon regulators the need to expand the set of accepted documents for KYC to reflect changing times and to promote financial inclusion while preventing illicit activity. Things like verified social media accounts or, in the case of immigrants or refugees, foreign national IDs (even ones that have expired) may work as well as a utility bill.
Working together, banks, technologists and other stakeholders can build the future of identity – a future that leverages the best technology has to offer, keeps sensitive data secure while enabling portability, and interfaces just as easily with human as with machine intelligences.
Heather Schlegel is a futurist tracking the future of money, economies, identity, wearable tech, relationships, augmented intelligence and humanity. She is best known by her online moniker, Heathervescent. Her research has been covered in The New York Times, CNN, American Banker, CNBC, Fox and The Atlantic. Schlegel speaks, researches and consults through her company, The Purple Tornado. Follow her on Twitter @heathervescent.